Beware Mac Users: Flashback Botnet Issue Discovered

April 5, 2012

Russian security firm Dr. Web says it has discovered a botnet infecting nearly half a million Macs worldwide. The firm made its announcement on Wednesday about the more than 550,000 infected Macs. Later in the day, however, its malware specialist Sorokin Ivan increased this number, saying he had discovered more than 600,000 Macs on the botnet, with 274 of these Macs located at Apple's headquarters in Cupertino, according to Ars Technica.

Though no other security firm has been able to corroborate these numbers, such a discovery raises concern for Mac users, who are usually less likely to contract a virus or other malware on their machines.

In a blog post describing the outbreak, Dr. Web said they had been studying the Trojan responsible for infecting the computers, called Backdoor.Flashback.39. Of all the infected machines, 12% were located in the UK, 19% were located in Canada, and more than 50% were housed in America.

Dr. Web's blog said: “Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web's virus analysts discovered a large number of web-sites containing the code.”

A list of infected sites is found on Dr. Web's site, and most of them are from Russia, using the .ru domain. The blog also mentions the possibility of up to 4 million compromised web pages on a Google SERP.

This variant of the Backdoor.Flashback trojan targeted an unpatched Java vulnerability within Mac OS X. While Apple has yet to patch the vulnerability, Oracle released a patch in February of this year, according to Ars Technica.

Like other versions of the trojan, this Backdoor.Flashback variant is found on infected websites. When a user visits one of these websites, the trojan installs itself on the computer and begins to communicate with the rest of the botnet, sending successive queries to its command-and-control server addresses.

While there is never a bad time to exercise caution on the net and confirm your system's security, some in the security field are asking for these numbers to be confirmed and verified. According to the Inquirer, a message on Twitter from F-Secure's Mikko Hyppönen said they could neither confirm nor deny the figures in the report. Information security expert Adrian Sanabria urges caution, but also says he has some suspicions, as Dr. Web is a maker of anti-virus software. The company may be trying to push its product as well as alert Mac users to this potential security flaw.

“However, given that the company reporting these numbers is in the business of selling anti-virus software, I think we need to see their claims corroborated before we get too excited,” Sanabria said in his newest report.

Security company F-Secure has published instructions on how to determine whether or not your Mac is infected. The method for detection and disinfection is listed as being recommended only for advanced users, as it involves diving into Terminal, the command-line application used to issue commands directly to the operating system.

Overall, all users, whether on Macs or PCs, are urged to use caution. Macs have had a reputation of being less prone to malware and other infections, though they are certainly not invulnerable to these kinds of threats. It is important to be aware of which websites are being visited, and not to click any link or download any file that may be suspect.